Organizations that are looking for security features including identity management, encryption and access control -- and at the same time want to take advantage of the cost and flexibility benefits of the cloud -- might check into security-as-a-service offerings available now from several vendors.
In this scenario, security is delivered as a service from the cloud, without requiring on-premises hardware. "The largest benefit to using security as a service is the ability to avoid sometimes substantial capital outlays," says Lawrence Pingree, a research director at Gartner Inc. who covers the security market.
In addition, Pingree says, some of the cloud-based security services provide the flexibility needed to address certain use cases. For example, email filtering services are popular because some mobile device platforms limit the ability of endpoint protection products to run on them.
"They wanted to charge us for a service that did nothing," at least most of the time, Diab says, so Sirva began looking for DR options where it would pay only for services it was actively using.
Cloud applications, including security, cost about 25% less than they would via traditional licensed software, Diab says. In addition to cost savings, Sirva is benefiting from the reduced internal support needed for things like applying hardware and software patches and bringing systems back up after an outage -- vendors perform those tasks now.
At the same time, the company has been gradually retiring some of its aging servers and moving applications to the cloud. The level of maturity of cloud services is no longer an issue, Diab says, and in fact many cloud-based offerings have proven to be reliable in terms of providing high-performance services globally, which is increasingly important as the company expands its overseas operations and looks to standardize on hosted services.
Cloud-based vulnerability management
Cox Communications, a broadband communications and entertainment company in Atlanta, relies heavily on two security-as-a-service offerings: one for vulnerability management and the other for static and dynamic application security analysis, says Jay Munsterman, director of security engineering.
Static analysis is the automated review of source code or binaries, while dynamic analysis pertains to live Web applications, Munsterman explains.
Those results included the speed and thoroughness with which the company was able to roll out its application security program. "Our champions were internal folks who worked with all the parties the program touched, to provide hands-on training and to handle feedback quickly and fairly," Munsterman says. "Within the development teams a few security-minded leaders stepped forward to help us present the program and position the partnership between development and security, rather than allow it to appear as a security mandate."
Getting people to buy in on the concept of security-as-a-service is not the only challenge.